FaceID: rise or end of FIDO?

One of the main new features presented during Apple's keynote this September is a face recognition mechanism that will be part of the iPhone X. FaceID, as that mechanism is called, will initially be used as a way to unlock the phone screen, which is also how TouchID was introduced on the iPhone 5s in 2013. TouchID gained more significance when it provided app developers with an API. It therefore became possible to use fingerprint recognition as an authentication method for apps and services. There’s no reason to believe that FaceID will not follow the same path.

Biometry without dedicated sensors

There’s a difference though: whereas capturing a fingerprint still requires a specific sensor – touchscreens are not yet there – and of course good algorithms, face recognition only needs good algorithms and a camera – a component that has been part of the iPhone since day one and has kept getting more sophisticated. To build TouchID, Apple acquired AuthenTec, an Australian fingerprint sensor manufacturer, in 2012. Samsung partner Synaptics replied by acquiring Validity in 2013 to release its own version of fingerprint sensors. To build FaceID, Apple only acqui-hired a couple of small AI startups.

This tells us 2 things. First, this move by Apple will most probably push the competition to enter this field as well, so most new smartphones will sooner rather than later ship with face recognition enabled. Second, among companies designing and selling software biometric tokens, there will be a couple of big winners (those signing deals or getting acquired) and a lot of losers. Indeed, your market disappears when what you’re trying to sell gets embedded by Apple (or by Samsung, or by Google) and becomes available “for free” to the developer ecosystem.

FaceID is bittersweet news for the biometry industry

This is good news for the biometry community – volumes will explode as biometry will be routinely used by the masses, due to its presence on smartphones. Yet this is less good news for the biometry industry – companies that have been developing sensors – since this industry won’t really reap the benefits of this massification. The problem is that the biometry community and the biometry industry are one and the same thing.

The biometry industry is betting on FIDO

One hope nourished by this industry is FIDO, an authentication standardization initiative launched in early 2013. Its self-assigned mission is to foster the generalized adoption of strong authentication on the web, in particular by standardizing biometric sensors. FIDO has been very successful in signing prestigious members and gathering support for its initiative. Most founding members of FIDO are part of the token industry (Validity, Nok Nok Labs, Yubico), with the notable exception of PayPal. Since then, many others have joined and gone through the FIDO certification process, so they now have FIDO-certified tokens in their catalog, most of them using some form of biometric technology.

Who’s supposed to buy these FIDO-certified tokens? According to one theory, users are going to buy tokens. However, this has proven wrong so far, with a few exceptions. Some gamers and some holders of cryptocurrency wallets do indeed buy tokens, but this is hardly a market as such. The hopes for FIDO are mostly with banks and telcos. There are other interested “relying parties” such as healthcare providers, but they are less likely to subsidize your token – unless they receive subsidies themselves (e.g. government projects); however, multiple experiments have shown that this is never a sustainable model and that the whole thing collapses once subsidies are gone.

Industry push vs. de facto standard: guess who wins

At first, the move by Apple seems like good news for FIDO: there will be more and more biometric sensors available and therefore FIDO adoption will be easier – indeed, user equipment is a tough challenge for every technology, especially for consumer markets. FaceID could therefore be the trigger that FIDO has been longing for. It could also be its last chance, since FIDO was formed almost 5 years ago, which is very long in the tech industry.

However, there are 2 major concerns. First, Apple has always remained silent about FIDO. Although the biometric sensors and APIs available on its devices are now used in 2-factor authentication solutions (see e.g. inWebo's use of biometry as a second factor), this has nothing to do with FIDO. Also, it is challenging for a bank (as an example) to make a technology choice and roll it out if a very significant part of its users (up to 50% in certain markets) own devices that come with a free yet alternative technology. Banks and most service providers need authentication technologies that can address 100% of their users, and if possible 100% of their devices as well. Said differently, with TouchID, now FaceID, and whatever comes tomorrow, Apple might be pulling the rug from under FIDO.

Second, although FIDO is becoming a standard, its main supporters are companies that might lose their market in the near future, as discussed above. Sure, we’re not there yet; no one has FaceID yet, you might rightly argue. Okay, but TouchID and smartphone fingerprint sensors achieved a major market penetration in 2 years, and so will face recognition (or it will be a flop). You might also argue that fingerprinting and face recognition are far from the only biometric technologies – how about voice biometrics (speaker recognition), iris or vein biometrics, or behavioural authentication? Sadly, in terms of adoption by consumers, the prospect is probably even less rosy. Apple acquired Siri a long while ago, and although speech recognition and voice biometrics are not quite the same, how big an effort would it be to add algorithms and an API on future iPhones? The same applies to technologies needing a specific sensor and to pure software using existing sensors as well. User adoption is very unlikely to happen unless triggered by smartphone or laptop manufacturers.

The old authentication business model is at stake, not only FIDO

If secure authentication technologies and APIs become available “for free” on most devices, as analysts predict, the business model of strong authentication will rapidly complete its transformation, from a token-based business model that RSA introduced some 20 years ago and of which FIDO is a mere continuation, to a platform business model that inWebo pioneered in 2008 and that is now widely deployed.

Rise or end, let’s take the bets. I must warn you though, I’ve won some champagne in the past by betting on FIDO adoption.